Company: CQURE
Saturday, September 12
 

10:30am CDT

Breaking Identity at Scale: From DPAPI & TBAL Secrets to Full Domain Compromise
Saturday September 12, 2026 10:30am - 11:30am CDT
Modern enterprise environments continue to rely on implicit trust within identity and credential protection mechanisms such as DPAPI, DPAPI-NG, and token-based authentication layers. While these technologies are designed to safeguard secrets, they also introduce powerful attack surfaces when combined with misconfigurations, weak privilege boundaries, and overlooked trust relationships.


This session presents a deep technical exploration of how attackers extract and abuse protected credentials at scale, moving from local access to full domain compromise. We demonstrate novel techniques for decrypting DPAPI-protected data, abusing TBAL-related key material, and chaining these with authentication protocol weaknesses such as NTLM and Kerberos to achieve lateral movement and privilege escalation.


Unlike traditional approaches that focus on single techniques, this research connects multiple layers of identity abuse into a cohesive attack path observed in real-world environments. Attendees will see how seemingly isolated weaknesses (credential storage, token handling, and protocol trust) combine into high-impact attack chains.


The session also provides defensive strategies, including detection opportunities, hardening approaches, and architectural changes to reduce reliance on implicit trust. The goal is to shift defenders from reactive detection to proactive identity security design.
Speakers
Paula Januszkiewicz

CEO and Founder, Microsoft MVP and RD, CQURE
Paula Januszkiewicz is the Founder and CEO of CQURE and CQURE Academy, globally recognized organizations delivering cutting-edge cybersecurity consulting and advanced training since 2008. She is an Enterprise Security MVP, Microsoft Regional Director, and one of the world’s leading...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk

10:30am CDT

Reconstructing Reality: Advanced USN Journal Extraction and Full-Fidelity Correlation with MFT
Saturday September 12, 2026 10:30am - 11:30am CDT
The NTFS USN Journal remains one of the most underutilized yet powerful forensic artifacts in Windows environments. While widely known, its practical use is often limited by incomplete parsing, lack of context, and the inability to correlate it effectively with other filesystem structures such as the Master File Table.
This session challenges long-standing forensic assumptions about how filesystem evidence should be interpreted. Traditional approaches treat artifacts such as the USN Journal and the Master File Table as separate and partially reliable sources of truth. Our research demonstrates that this model is fundamentally flawed.
Many widely used forensic tools silently ignore critical fields, leading to incomplete or misleading conclusions. As a result, investigators often rely on partial visibility when reconstructing attacker activity.
We introduce a comprehensive approach to extracting, parsing, and operationalizing USN Journal data at scale, using full-field analysis to reconstruct detailed file system activity. A key contribution of this work is a novel correlation model between USN Journal entries and Master File Table records, enabling investigators to rebuild complete timelines with significantly higher accuracy.
By combining these artifacts and analyzing all available metadata, we show that it is possible to detect inconsistencies, uncover hidden attacker activity, and validate events that would otherwise remain ambiguous or invisible.
This approach redefines how filesystem forensics should be performed, transforming fragmented artifacts into a unified and reliable representation of system activity. The techniques presented are actively used in real-world incident response and threat hunting engagements, where precision and speed are critical.
Speakers
Paula Januszkiewicz

CEO and Founder, Microsoft MVP and RD, CQURE
Paula Januszkiewicz is the Founder and CEO of CQURE and CQURE Academy, globally recognized organizations delivering cutting-edge cybersecurity consulting and advanced training since 2008. She is an Enterprise Security MVP, Microsoft Regional Director, and one of the world’s leading...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk
 
Blue Team Con 2026